Part 5: Creating DMARC Record to Protect Your Domain Name From Email Spoofing
In part 4 of building your own email server tutorial series (Ubuntu version, CentOS/RHEL version), we implemented SPF and DKIM records to improve email deliverability. In this part, we’re going to look at another email authentication technology: DMARC. We will discuss how DMARC can benefit you, how to create DMARC record and interpret DMARC report.
What is DMARC?
DMARC stands for Domain-based message authentication, reporting and conformance. DMARC is not a product. It’s a freely available technical specification and widely supported across the Internet. Anyone owning a domain name can take advantage of DMARC.
A DMARC policy allows a domain owner to indicate that emails from his/her domain is protected by SPF and DKIM. You can use DMARC to discover all legitimate sources of email. DMARC builds upon two existing technologies: SPF and DKIM.
DMARC Benefits
Why is DMARC good for you? The benefits of deploying DMARC are:
- Fraud detection: Phishers often spoof the
From:
header address to impersonate big brands. DMARC is a powerful tool to fight against email phishing and thus protect your brand. - Simplified email delivery: Sending DMARC-compliant email allows receiving email servers to simplify filtering rules.
- Your email domain reputation can be improved after you create DMARC record correctly.
- Gives senders visibility into how receiving email servers process their email. You can get a report of how many legitimate emails are sent from your domain, how many emails can’t be authenticated including both legitimate and fraudulent ones.
This is a pretty big deal to any organization that relies on email for its day-to-day business. If you are doing email marketing, then DMARC is a must-have tool to make email easy to deliver and reach customers. Pretty much every major consumer-facing mailbox provider like Gmail, Yahoo and Microsoft ask to be sent DMARC-compliant email to make their job of filtering emails easier.
How to Create DMARC Record
DMARC policies are published as a TXT record in DNS.
Step 1: create SPF and DKIM records
Before creating a DMARC record, you must create SPF and DKIM records first.
Step 2: Identifier alignment
Send a test email from your domain, then check the raw email headers at the recipient’s mailbox. You want to make sure the domains in Return Path, From: header and d=domain in the DKIM signature are the same. If the 3 domains are identical, then they are aligned.
If Return-Path or DKIM d=
uses a subdomain instead of the main domain name, then this is called relaxed alignment. If no subdomain is used and the main domain names are the same, it’s called strict alignment.
Step 3: Setting up the DMARC record
Go to your DNS manager and add a TXT record. In the name field, enter _dmarc
. In the value field, enter the following:
v=DMARC1; p=none; pct=100; rua=mailto:[email protected]
Explanation:
v=DMARC1
: The protocol version is DMARC1.p=none
: We choosenone
as the policy for our domain.pct=100
: The percentage of emails from your domain DMARC applies torua
stands for reporting URI for aggregate report. The email address is used to tell receiving email servers where report should be sent. Replace[email protected]
with your real email address that is used to receive aggregate DMARC report.
There are 3 policies you can choose from:
none
: tells receiving email servers not to do anything special if DMARC check fails.quarantine
: tells receiving email server to put the email intoquarantine
if DMARC check fails. It must be approved by an admin before it can reach the recipient’s inbox.reject
: tells receiving email servers to reject the email if DMARC check fails. Note that not all receiving email servers comply with thereject
policy. Gmail and Yahoo Mail will reject the email, but Microsoft Mail (Outlook, Hotmail, Live) doesn’t reject the email.
If your domain name has sent some emails before, thenp=none
is a good start. You should analyze the data for some time to see if there are legitimate emails that don’t comply with DMARC. Once you have enough data and fix the delivery problems, you can change the policy from none
to quarantine
or reject
.
If you have a new domain name that has never sent emails before, you can skip none
and quarantine
and set p=reject
.
There’s another tag that you can add to the DMARC record: fo
. It has four possible values.
0
(default): generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result1
: generate reports if any mechanisms fail.d
: generate a report if DKIM signature failed verification.s
: generate a report if SPF failed
I recommend using fo=1
first to generate more comprehensive DMARC failure reports. When you change to a more restrictive policy, use fo=0
.
v=DMARC1; p=none; pct=100; fo=1; rua=mailto:[email protected]
You can check your DMARC record from Linux terminal with the following command:
dig txt +short _dmarc.example.com
You can see that I used two email addresses to receive DMARC report, which I will explain later. There’s another command-line tool (opendmarc-check
) that you can use to check DMARC record. It’s provided by the opendmarc
package.
sudo apt install opendmarc
opendmarc-check
queries the DNS for a DMARC record for the named domain and then translates the content found to a human-readable form.
If you have a domain name that’s not going to send emails, you should use p=reject
policy.
v=DMARC1; p=reject; pct=100;
DMARC Test
A good service for DMARC test is https://www.mail-tester.com. Go to the website, you will see a unique email address. Send an email from your domain to this address and then check your score. (This website check all factors that affect email deliverability, not just DMARC.) If DMARC passes, then you will see something like below in the test result.
Another way to test DMARC is send an email from your domain to your Gmail account. If DMARC is configured correctly then you will see dmarc=pass in the authentication-results header. (To view email headers in Gmail, click the Show Original
button, which can be found in the drop-down menu on the right side of an opened email.)
To pass DMARC check, your emails need to meet one of the following requirements.
- SPF pass and the
Return-Path:
domain name is the same as theFrom:
header domain. - DKIM pass and the
d=
domain in DKIM signature is the same as theFrom:
header domain.
By default, DMARC uses relaxed alignment. So the Return-Path domain or the d=
domain in DKIM signature can be a subdomain.
How to Interpret DMARC Report
There are two kinds of DMARC reports.
- Daily XML-based aggregate report generated by Gmail, Yahoo, Hotmail, etc.
- Real-time forensic reports (copies of individual pieces of email that fail the DMARC check)
Normally you only want to receive the aggregate report. The data that DMARC produces is invaluable for understanding what is going on for any given email domain. However, raw DMARC report data is super hard to read and understand. Luckily, Postmark offers a free service to process these reports, presents you a much more readable report. The nice part about Postmark is that you can tell receiving email servers to send XML reports directly to Postmark for processing. So instead of entering your email address in the DMARC record, you enter an email address of postmarkapp.com that is unique to you.
v=DMARC1; p=none; pct=100; fo=1; rua=mailto:[email protected];
You can also specify multiple email addresses, separated by commas.
v=DMARC1; p=none; pct=100; fo=1; rua=mailto:[email protected],mailto:[email protected];
After your DMARC record has been verified by Postmark, you will receive a DMARC report weekly every Monday in your email inbox. You don’t need to register an account at Postmark.
Below is my first weekly report sent from Postmark. mcsignup.com belongs to MailChimp, which is what I use to send newsletters to my mailing list. In my SPF record, I actually allow MailChimp to send emails on my behalf, but I didn’t know that they don’t use my domain name in the Return-Path header for the signup confirmation emails. And they don’t sign emails using my DKIM domain.
There’s also an unknown source that claims to be linuxbabe.com.
First, I always treat IP address that doesn’t have reverse DNS record as spam. Then, to identify other unknown sources, I will check if it’s on an email blacklist. debouncer.com tells me that it’s on 13 blacklists. So clearly it’s a spammer trying to impersonate my domain name.
To better understand the unknown source and how your domains are used, you can choose to receive forensic report by adding the ruf
tag in DMARC record like below.
v=DMARC1; p=none; pct=100; fo=1; rua=mailto:[email protected]; ruf=mailto:[email protected];
The forensic report contains the copies of emails that failed DMARC check. You can see the email headers, subject lines, and sometimes message body to determine the nature of failed emails. If you recognize the subject line, then it’s more likely to be a forwarded message. Note that some email servers may choose to generate aggregate reports but not forensic report due to privacy concerns and others may only include email headers in the forensic report.
When does SPF or DKIM Fail?
A typical example of SPF failure is when your emails are relayed to the destination email server through a third-party server. And the common situation where DKIM fails is when your emails are sent through a mailing list, which often adds additional headers or sentences to your emails. Actually, a mailing list can cause SPF failure too.
There are two kinds of mailing lists.
- Announcement mailing list. Typically used by websites to send newsletters. The mailing list owner can send messages to a large number of subscribers, whereas subscribers can only reply to the mailing list owner.
- Discussion mailing list, where subscribers can send messages to all other subscribers. This is common in the open-source community. GNU mailman is the most popular software to set up such a mailing list.
This first kind is easy to tackle because the domain owner is a customer of the mailing list server provider. It’s easy to add the mailing list server to SPF record. Also, the mailing listing server can do DKIM signing for customers.
The second kind of mailing list is difficult to tackle for domain owners who have users participating in discussions in various mailing lists. The domain owner can’t list all possible discussion mailing list servers in SPF record, and these mailing lists can’t do DKIM signing for other domain names. A possible solution is that the mailing list uses its own address in the From:
header, and adds the original email sender’s address in the Reply-To:
header. More details can be found on this GNU mailman wiki page. A more practical and promising solution is ARC (Authentication Received Chain), which basically means that mailing lists do DMARC check and sign the DMARC result. Receiving email servers can trust the ARC signature and override local DMARC check results.
When Should You Switch to p=reject Policy
You should wait enough time to receive lots of DMARC report. Don’t be surprised when you see false positives in your DMARC report. Analyze these false positives and take action to make sure they can pass DMARC check. After that, switch your DMARC policy to p=quarantine
and eventually p=reject
. Do not skip quarantine
and go straight to reject
. When you switch to a more strict DMARC policy, consider changing the value of pct
tag.
So the overall process goes like this:
- p=none; pct=100;
- p=quarantine; pct=30;
- p=quarantine; pct=70;
- p=quarantine; pct=100;
- p=reject; pct=30;
- p=reject; pct=70;
- p=reject; pct=100;
Why I’m still using p=none policy?
Firstly, it’s because of Microsoft. mails forwarded from Microsoft Outlook Mailbox can fail DKIM check, which is bad. For this reason, I cannot set my DMARC policy to quarantine
or reject
.
Another reason is that I’m using MailChimp to send newsletters to my email subscribers. MailChimp uses its own domain in the Return-Path header and its own DKIM signature for the signup confirmation email, which causes DMARC failure.
The solution to the first problem is deploying ARC (Authenticated Received Chain). Until ARC is implemented on Mailbox providers, I won’t change my DMARC policy.
To solve the second problem, I need to switch to a self-hosted newsletter app like Mailtrain, instead of using an email service provider (ESP) to send newsletters to email subscribers. That way, I can use my own domain name in the Return-Path header and my own DKIM signature in every email. However, this also means I will need to build a good reputation for my email domain and the IP address of my email server so that my emails can land in my subscribers’ inbox instead of the spam folder. That can take some time and effort.
Update (April 19, 2019)
DKIM alignment in emails forwarded by Microsoft Outlook has improved. Also in February 2019, Mailchimp started using the customer’s domain name in the DKIM signature for the signup confirmation emails, so all Mailchimp emails are now DKIM-aligned. I now begin experimenting with the p=quarantine
policy and eventually will switch to the p=reject
policy.
Wrapping Up
Having a p=none
policy is better than having no DMARC record. Although p=none
cannot prevent email spoofing, at least my legitimate emails have a better chance to be placed in inbox.
I hope this article helped you understand and deploy DMARC policy. In part 6, I will share with you all my tips on how to get your emails into the recipient’s inbox instead of the spam folder.
As always, if you found this post useful, subscribe to our free newsletter or follow us on Twitter or like our Facebook page.
Excellent work keep it comung
Love the way you write tutorials!
I must say, a superior guide!
Followed your 1-5 guide to setup the mailsystem, and it’s not only working, I’ve gain a good knowledge how the mail systems actually works..
Yeah your tutorials are really well written! Thank you
Tho not sure how it worked out but passed after followed up instructions. A great and excellent guide!! 5 Stars!!!!!
Thanks for your tutorials. I have learnt a lot. I have set up SFP, DKIM and DMARK through your tutorials.
THANK YOU for this guide!
I followed all 5 parts for my CentOS 8 cloud VPS. And everything worked except the couple of SELinux chcon commands. Perhaps SELinux isn’t enabled on my server. So everything seems OK even though chcon complained “chcon: can’t apply partial context to unlabeled file blahblah”.
Thank you once again. This article is high-quality.
I am amazed though that so many little things could possibly go wrong.
Hi, I followed this tutorial quite a while ago and everything worked smoothly!
I recently updated all my packages on my Ubuntu 18.04 server and suddenly weren’t able to send mails anymore! I checked the logs and it says that opendmarc fails when it checks the mail I send:
My policy has been quarantine with pct=100, however, mails didn’t go into spam folders but were rejected entirely. After setting the policy back to none, emails were received but I still get the same messages in my log. Any help would be really appreciated!
Apparently I should not use the tag symbols for text, so again, this is the actual output:
Go to https://www.mail-tester.com/ to find out why your outgoing emails fail DMARC check.
The only issue it finds is that my rDNS entry maps to MY_URL while the message was sent from mail.MY_URL. The tool even says that I pass the DMARC test. Its authentication results say I fail DKIM (signature verification failed), however, the DKIM test says the signature is valid.
Like your other readers & commenters, I’ve got a lot of value out of your tutorials. They are wonderfully complete, easy enough to comprehend, and the examples *work*.
Here’s a question, though: After adding a dmarc txt record in my dns records, the tester at mail-tester.com complains that my mail wasn’t “authenticated” because rDNS says the mail originated from mail.mydomain.com, but rDNS finds my IP address resolves to just mydomain.com. My best guess is that removing the A record for mail.mydomain.com and replacing it with an MX record would fix this. But I’m a little nervous about tweaking real DNS records based on just a hunch. Your thoughts? Thanks a million … and by the way You are the Greatest, Xiao!
Your mail server hostname (mail.yourdomain.com) should have a DNS A record.
And your mail server IP address should have an rDNS record pointing to
mail.yourdomain.com
.Thank you so much for your response. Unfortunately, I feel more confused now. There is definitely an A record for mail.mydomain.com. I assumed that rDNS returns no more than one name per queried address. Is this incorrect? I checked that
# dig -x +short
returns just the one line stating “mydomain.com.”
Sorry to be dense, but can you confirm that it’s okay/common/appropriate to add a record that directs to the *same* address as resolves to mydomain.com to also resolve as mail.mydomain.com?
The rDNS should be pointed to just one hostname. For your mail server, it should be changed to
mail.yourdomain.com
.You can always change the rDNS record at your hosting control panel, or ask your ISP to change it.
Really awesome tutorial, Worked!!
If I set this up do I need to setup opendmarc with postfix as well? I am looking at your other post from
https://www.linuxbabe.com/mail-server/opendmarc-postfix-ubuntu
and then I saw this as well in your comment area.
OpenDMARC is not required, but it’s better to have it on your own mail server.
Thanks for this tutorial well explained. However i have a confusion about dkim system for my case as follow: I have two vps, one is hosting postfix and name server (vps1), and the second is hosting an email marking application Acellemail (vps2) in which I add sending domains with generated dkim dns record to get the domains validated. So in that case each vps contains different dkim keys and selectors generated. My question is have the sending domains to be signed by dkim keys generated on the vps containing postfix? Thank you
Your setup is fine. As long as the DKIM record is valid, It’s okay that two VPS generate different DKIM keys and selectors.
Not the first and certainly not the last, Thank you for this
Impressive job! i was struggling for a week since one of my client got rejected from several domains he uses to work with.
Your course is the most clearly and effective one i found so far, and little cherry on the cake, working perfectly on the go.
Keep up your job man, i’m a MS guy who’s wondering more and more about the penguin thanks to you man.
Thanks for excellent tutorials! I’m using mailjet as smtp relay. Now Dmarc weekly digest found that I am 100% DKIM aligned, but 0% spf aligned (same as your picture above), becouse Return-Path path doesn’t match my (From) real mail address. Is there a possibility to solve this pls?
There’s really no way to solve that. But it passes the DMARC test.
Thank you for your excellent how-to’s. As you said elsewhere, they are certainly the best I’ve found on the Web.
I could suggest linking from this article to https://www.linuxbabe.com/mail-server/postfix-amavis-spamassassin-clamav-ubuntu
Great Tutorial!!!!!
Thank you LinuxBabe!!!!!
When testing my mail using www.mail-tester.com it tells me “We didn’t find a mail server (MX Record) behind your domain name mydomainname.com.” (replaced my real domain name with mydomainname).
My one and only MX record in my DNS is like so:
Should my MX row be mydomainname.com instead of mail.mydomainname.com? or should I have two MX rows?
In Part 1 we are told to make the MX row domain name “mail.linuxbabe.com” so that is what I did.
You created an MX record for mail.yourdomain.com.
You should create an MX record yourdomain.com.
Simply reverse the domain name in your MX record:
wow! this was an incredible guide. I was searching for a guide like this for a long time before i found yours. I just wanted to say thank you, and that I really appreciate you!
Hi Clayton,
Thanks for your donation 🙂
Hi, I followed this guide https://www.linuxbabe.com/mail-server/postfix-smtp-relay-ubuntu-sendinblue.
Sending blue already gave me mail._domainkey, _dmarc , v=spf1 include:spf.sendinblue.co… details. Is it also necessary to follow this guide and “create SPF and DKIM records first.” so to have double DNS TXT files of _dmarc,v=spf1 etc.?
If all your emails are relay through sendinblue, then you can add the SPF record, DKIM record and DMARC record assigned by Sendinblue.
You don’t need to add a second record for SPF, DKIM, and DMARC.
Hello, you are doing a great job with your free tutorials. I’m trying to build my own server, as a hobby, and I have some queries. There is something that I don’t understand. I can’t create a SPF record to pass. I don’t understand where I’m going wrong :). I thing there is a problem between mail.mydomain.com and mydomain.com 🙂 The message given by mail-tester is something like that: [SPF] mail.mydomain.com does not allow your server xx.xx.xx.xx to use [email protected]. And it provides me a solution : You do not have a SPF record, please add the following one to your domain mail.mydomain.comt:
v=spf1 a mx ip4:xxxxxx ~all. I have added this line and I get the same error.
And I don’t have “identifier alignment” Return path is: [email protected], d=mydomain.com and from is: [email protected]. I don’t know if these 2 problems are related :D. I hope we can give me a hint 🙂 Thank you
Hello,
I believe this is by far, the best tutorial ever. I have just a problem. Everything is fine for me but when I try to reply to a email sent from my email server, for instance if I reply from my Gmail to my [email protected], the answer never reach my mail server. In other words, from my server, the outbound emails are working but the incoming emails not.
Also I’m using an AWS EC2 instance so I had to configure the relay server as you mentioned with Brevo.
Please I need assistance with this.
Amazing content, just finished the installation on Debian 12. Worked like a charm just need to adjust a couple of things compare to Debian 11 (PHP version and installation for instance)
Thank you!
Hello and first of all thank you for this great tutorial!
I added the management of the headers “List-Unsubscribe” and “List-Unsubscribe-Post” in postfix configuration, they are present but are not taken into account (neither by gmail nor by aboutmy.email) because they are not integrated into the DKIM signature, so I wanted to add them via the SignHeaders parameter in opendkim.conf but they are not taken into account and when I use OversignHeaders my DKIM signature is no longer valid. Do you have any advice for me? Thank you in advance
Great article! as a tip I found this DNS Lookup tool very useful https://mate.tools/dns-lookup